UnitedHealth’s Cyberattack Response Costs To Surpass $2.3B This Year

Dive Brief:

• UnitedHealth’s costs of recovering from the massive cyberattack on its payments processor are shaping out to be higher than the healthcare behemoth originally thought, according to new financial projections.
• On Tuesday, UnitedHealth raised its full-year outlook for the total cyberattack impacts to between $2.3 billion and $2.45 billion, up roughly $1 billion from its previous expectations.
• The Minnetonka, Minnesota-based company reported a profit of $4.2 billion in the second quarter, down from almost $5.5 billion same time last year in large part due to costs from the cyberattack, which is shaping up to be one of the worst to ever hit the U.S. healthcare sector. Still, UnitedHealth’s revenue was up almost 7% year over year to $98.9 billion in the quarter.

Dive Insight:

Change, which handles a significant portion of the healthcare industry’s billing operations, was hit with a ransomware attack in February that quickly threw U.S. payments processing into disarray. Reimbursement for many providers ground to a halt after UnitedHealth shut down its IT systems.

Meanwhile, UnitedHealth paid a $22 million ransom to the cybercriminals that failed to protect patient data, some of which has ended up on the dark web. The attack impacted the information of an estimated one-third of Americans.

UnitedHealth has since restored the majority of affected Change services. Yet Change’s provider and pharmacy clients, many still reeling financially from the attack, lobbied for UnitedHealth to notify consumers whose data was breached, instead of being responsible themselves. The federal government clarified that consumer notifications could be UnitedHealth’s responsibility, after which Change started notifying its customers if their members’ or patients’ data was exposed.

Change plans to send out letters to individuals themselves in late July.

The costs of producing and mailing those letters, along with ongoing initiatives to respond to the attack, should bump UnitedHealth’s costs of responding to the Change attack this year, according to financial data released Tuesday.

The company’s insurer division UnitedHealthcare also continues to struggle with a persistent increase in medical costs. Its medical loss ratio — a marker of spending on patient care — was 85.1% in the second quarter, up from 84.3% in the prior quarter and 83.2% same time last year.

The rising spending continues to ring warning bells for investors, who asked UnitedHealth leadership on a Tuesday morning call about factors driving the trend.

The increase was mostly due to UnitedHealthcare pausing utilization reviews, prior authorizations and other checks on providers that keep spending in line in the wake of the Change cyberattack, CFO John Rex said on the call.

As a result of that pause, UnitedHealthcare saw a lingering increase in provider coding intensity, according to Rex. However, the upcoding “anomaly” eased after UnitedHealthcare resumed utilization management protocols in mid-April, said UnitedHealthcare CEO Brian Thompson.

UnitedHealthcare’s members also continue to use more medical services, a trend that started hitting payers last year that’s been especially evident in privately run Medicare Advantage plans. Insurers are cutting costs in a bid to to preserve profit margins, which is expected to lead to fewer benefits for MA seniors in 2025.

Insurers are also seeing higher-than-expected utilization in Medicaid. In May, a number of payers — including UnitedHealth — reported a worrying mismatch between patient acuity and the rates their Medicaid businesses are paid by states.

However, “we expect the Medicaid timing mismatch to subside” as rates are updated in the second half of the year, Rex said.

UnitedHealth CEO Andrew Witty also spent much of the call with investors on Tuesday defending UnitedHealth’s size and business practices. The company, which operates the largest private insurer in the U.S., one of the biggest pharmacy benefit managers and a major network of physician practices, has found itself in the crosshairs of antitrust regulators this year.

UnitedHealth is currently being investigated by the Department of Justice for how its businesses, including the overlap between UnitedHealthcare and Optum, affect competition. The Federal Trade Commission is also reportedly gearing up to sue UnitedHealth’s PBM Optum Rx over business practices that allegedly raise the cost of drugs.